LEGAL IMPLICATIONS OF DATA BREACHES AND CYBER SECURITY INCIDENTS

This article is written by Sejal Ben Patelof 2^nd Semester of University Law College, Utkal University, Bhubaneswar, an intern under Legal Vidhiya

Abstract

Data breach and cyber security incidents have become much frequent nowadays in this digital era. Data breach has various causes and consequences resulting in many cyber security incidents. However various steps to regulate and safeguard the data and prevent cyber security incidents various regulations and laws are made and a collaborative effort of individuals, businesses and governments are made to prevent them. This work provides a comprehensive view of  data breach, its causes and consequences, responsibilities, liabilities and regulations, laws navigating data breach and cyber security incidents.

Keywords

Data breach, cyber security, laws, causes, consequences

Introduction

In today’s digital era data breach and cyber security has become a prevalent concern for individuals, businesses and governments. A data breach occurs when unauthorized individuals gain access to information, putting privacy, security and integrity at risk. The implications of data breach are far reaching and multifaceted.

For individuals, the disclosure of personal data such as social passwords, credit card details, etc. can lead to identity theft, financial loss and emotional distress.

For businesses, the fallout from data breach can be devastating. Businesses incur financial loss through legal fees, compensation, regulatory fines, etc. Beside those businesses faces reputational damages and brand’s image for years to come. The loss of intellectual property can jeopardize competitive advantage and market position.

It is essential to understand the various major causes of data breach and its effect to address and prevent them. Addressing data breaches requires a multifaceted approach encompassing technical, organizational and regulatory measures.

Government plays a crucial role in establishing and enforcing data protection laws

Data Breach

Data breach is the unauthorized exposure, disclosure or loss of personal information. A data breach is an incident where sensitive, confidential information is accessed without authorization. Data breach is the disclosure of personal information into an unsecured environment. A data breach is an incident where information is stolen or taken from a system without the knowledge or authorization of system’s owner. 

Causes of Data Breach

Data breach can occur from various factors. This can happen due to cyber-attacks, insider threats, accidental exposure, weak security, lack of awareness, data mishandling, regulatory compliance issue, etc.

1. Cyber attack

Cyber-attack is disclosure of data through unauthorized access to a network, computer system or digital device. Cyber-attack includes malware infections, phishing attacks and other malicious activities targeting sensitive or confidential data or information.

a) Malware

Malware is malicious software or say it a file or code developed by cybercriminals like Hackers, to steal data and damage computers and computer system. Malware software includes viruses, worms, Trojans and ransom ware that can infiltrate systems to steal, damage, or encrypt data.

b) Phishing

Phishing attack is a type of cyber-attack done through fraudulent communication. Cybercriminals use misleading emails, messages or websites to trick individuals into revealing sensitive information.

2. Insider Threat

Insider threat is a threat to an organization that comes from the people within the organization such as employees, contractors, etc. Insider threat is a threat where an insider uses authorized access intentionally or unintentionally to harm the organization.

3. Weak Security Measure

A weakness in an IT system that can be manipulated by an attacker to carry out a successful attack. Weak security measures such as inadequate security protocols, outdated software, poor data encryption, etc. can leave system vulnerable to breaches.

4. Lack of Awareness

Lack of awareness is a much big cause of data breach. Lack of awareness due to insufficient training and awareness programs for employees regarding data security practices can increase the risk of breaches.

5. Data Mishandling

Data is mishandled when it is managed or dealt ineffectively. Improper handling, storage or disposal of data can lead to breaches, especially when sensitive information is involved.

6. Regulatory Compliance Issue

Regulatory compliance is adherence to law, regulations, and guidelines. Failure to comply with any data protection regulations such as Information Technology Act, Digital Personal Data Protection Act, Reserve Bank of India guidelines, General Data Protection Regulation (GDPR) can result in breaches and even legal consequences

Effect of Data Breach

Data breach consequences can be significant. Consequences of data breach depend on the type of data involved. The consequences of data breach are far reaching and deeply impactful. The consequences of data breach involve financial loss, reputational damage, legal consequences, loss of intellectual property, operational disruption, etc. The effect of data breach can be long lasting, affecting an organization’s bottom line, market position, and brand reputation for years to come. Following are some of the effects of data breach.

• Financial Loss

The financial loss due to data breach is one of the immediate consequences that the organizations have to deal with. Organizations may incur substantial financial loss that includes compensation payouts, investigating breach, legal fees, regulatory fines, etc.

• Reputational Damage

The reputational damage resulting from data breach can be devastating. Data breaches can erode trust and confidence in organizations leading to a loss of customers, partners and investors.

• Legal Consequences

Non-compliance with data protection laws and guidelines can result in regulatory penalties and lawsuits, further increasing financial liabilities. If the data security is compromised, whether intentional or unintentional, individuals can seek legal action to claim compensation.

• Loss of Intellectual Property

Data breaches can expose proprietary information, trade secrets and other valuable intellectual property, undermining competitive advantage. The loss of intellectual property can result in significant financial losses that include decreased market share, lost revenues, litigation cost, etc. 

• Operational Disruption

Business operations are significantly disrupted due to data breach. Breaches can disrupt business operations leading to downtime, productivity losses, and increased cyber security spending to remediate the breach and strengthen defenses.

Responsibilities, Liabilities and Regulations of Individuals

• Responsibility

Individuals have a responsibility to safeguard their own personal information by practicing good cyber security hygiene, such as using strong passwords, being cautious of phishing attempts, and keeping software up to date.

It is the duty of the individual to report about their data breach to relevant authority. 

• Liability

Individuals may face legal and financial liabilities if they are found to be negligent in protecting their own data.

• Regulation

The Digital Personal Data Protection Act, 2023 in India impose certain obligations on individuals regarding the handling and protection of personal data.

Individuals have rights under these regulations, such as right to be informed about how their data is being used, the right to access their own data, right to request for deleting of their data under certain circumstances.

Overall, individual may not bear the primary responsibility for preventing data breach, but they play a crucial role in maintaining data security through responsible behavior and compliance with relevant regulations.

Responsibilities, Liabilities and Regulations Of Organization

• Responsibility

Organizations are responsible for implementing robust cyber security measures to protect the personal and sensitive data they collect, process and store.

Organizations must establish comprehensive data security policies, procedures and protocols to mitigate the risk of breaches, including encryption, access controls, and regular security assessment.

Organizations should provide adequate training and awareness programs to employees to ensure they understand their roles and responsibilities in maintaining data security.

• Liability

Organizations can face substantial legal, financial, and reputational liabilities in the event of a data breach. They may include regulatory fines, lawsuits, compensation payouts, and damage to brand reputation.

Failure to fulfill legal obligations such as timely notification of affected individuals or regulatory authorities can result in increased liabilities and penalties.

• Regulation

Organizations are subject to data protection regulation such as The Digital Personal Data Protection Act, 2023 in India and other industry specific regulations.

These regulations impose requirements on organizations regarding the collection, processing, storage, and security of personal data. They also outline obligations for breach notification, data subject rights, and accountability.

Organizations need to undergo audits, assessments, and certifications to demonstrate compliance with relevant regulations.

Overall, organizations bear significant responsibility for preventing data breaches, safeguarding sensitive information and complying with data protection regulations to protect the interests of individuals and maintain trust with stakeholders.

Laws Navigating Data Breach In India

The release of confidential data from a secured location to an unsecured site is a data breach. The growing data breaches have made peoples and authorities cautious and to navigate those data breach there are some laws made for regulation of data breach.

In India data breach laws and regulations primarily revolve around the information technology act and its amendments. The IT act along with some other new laws and regulatory guidelines provide the legal framework for data protection and cyber security in the country.

Following are some key aspects of data breach laws in India:-

The Information Technology Act, 2000[1]

The Information Technology Act, 2000 is a law that deals with digital aspects such as cybercrime, electronic commerce, digital signatures, etc. The IT act is an important legislation that provides legal recognition for the issues related to cybercrime such as identity theft, unauthorized access to computer system. It includes provision for compensation for failure to protect data, punishment for cybercrime offences and the establishment of a cyber appellate tribunal.

a) Section 43[2]

Section 43 of The Information Technology Act, 2000 provides penalty, compensation for damage to computer, computer system, etc.

Whoever without the permission of the person in charge of the computer system accesses, downloads any data, introduces computer virus, causes denial of access will be liable to penalty and compensation for damage.

b) Section 43A[3]

Section 43A of The Information Technology Act, 2000 deals with the compensation for failure to protect data.

It deals with compensation for failure to protect data. It holds entities responsible for protecting sensitive personal data and requires them to compensate affected individuals for negligence in implementing and maintaining reasonable security practices and procedures.

c) Section 66C[4]

Section 66C of The Information Technology Act, 2000 provides punishment for Identity Theft.

It criminalizes the act of fraudulent or dishonesty of using another person’s electronic signature, passwords, or any other unique identification feature with the intent to cause harm. Violators can face imprisonment for a term which may extend to three years and shall be liable to fine which may extend to rupee one lakh.

d) Section 72[5]

Section 72 of The Information Technology Act, 2000 provides penalty for breach of confidentiality and privacy.

If any person who have the access to any electronic record, book, information, document or other material of a person, without the consent of that person discloses such data to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees or both.

The above discussed The Information Technology Act, 2000 deals with various provisions related to cyber security. Above discussed are some of the important provisions of the act related to data breach.

Information Technology Rules, 2011

These rules outline specific requirements for handling sensitive personal data or information (SPDI) by entities collecting, storing or processing such data. They mandate reasonable security practices and procedures to protect the confidentiality and integrity of SPDI and require entities to obtain consent from individuals before collecting their personal information.

Digital Personal Data Protection Act, 2023[6]

An act to provide for the processing of digital personal data in a manner that recognizes the right of individuals to protect their personal data and the need to process such personal data for lawful purposes. The Act aims to provide individuals the control over their data and establish obligations for entities handling such data.

The act provides for classification of sensitive data, appointment of data protection officers by entities, establishment of a Data Protection Authority (DPA) to look after and enforce compliance of the provisions for data protection.

Under the Digital Personal Data Protection Act, 2023 organizations are required to follow various reporting requirements to ensure compliance and transparency in their data processing activities. These reporting requirements include data breach notification, data protection impact assessment, annual report, appointment of data protection officer, regulatory notifications. These reporting requirements are designed under DPDPA to promote accountability, transparency, compliance with data protection regulations, ultimately enhancing individual’s confidence in the handling of their personal data.

The Digital Personal Data Protection Act, 2023 (DPDPA) plays a vital role in shaping the future of privacy in digital age.

Reserve Bank of India (RBI) Guidelines

The Reserve Bank of India (RBI) has issued guidelines to address data breaches in the financial sector. RBI issues guidelines and directives for banks and financial institutions concerning data protection and cyber security. These include data breach notification, investigation and remediation, customer communication, regulatory reporting, risks assessment, compliance monitoring, etc. The RBI’s guidelines for data breach aims to enhance the resilience of the financial sector against cyber threats and protect the interest of consumers by prompt detection, response, and remediation of data security incidents.

The existing legal framework provides some level of protection against data breaches and unauthorized access to personal information in India. As the digital landscape evolves and cyber security threats continue to increase, India develops legal landscape surrounding breaches and cyber security to meet the challenges. Digital Personal Data Protection Act, 2023 (DPDPA) is a significant mark towards a comprehensive legal framework for overall data protection in India. Organizations should adapt to these changes prioritizing data protection to navigate the legal complexities of digital era in India.

Cyber Security Incidents

A cyber security incident is any attempted or successful unauthorized access, disclosure or misuse of computing systems, data pr networks including hacking and theft.

India is facing rise in cyber-attack cases in 2023. A rise of 15% in cyber-attack cases has been observed. India has emerged as the 2^nd most targeted nation.[7]

Following are some of the data breaches that might have occurred as per the reports-

Personal details of 30 million railway users were compromised on dark web.[8]

Customer data of 7.5 million boat customers leaked on dark web.[9]

The massive Aadhaar data breach exposes personal information of about 81 crore Indians on dark web. The leaked data in Aadhar leak discloses personal information that includes name, address, phone number, age, passport information.[10]

Conclusion

Data breaches represent a significant and evolving threat in today’s digital landscape with profound implications for individuals, businesses and society as a whole. By having knowledge about the various causes of breaches and implementing cyber security measure organizations can mitigate their risk exposure and protect sensitive data from unauthorized access.  Regulatory frameworks and industry standards play a crucial role in promoting accountability and transparency in data handling process. A collaborative effort involving government, industry and individuals is necessary to effectively address the complex challenges posed by data breaches and safeguard the integrity of digital ecosystem.

References

• The Information Technology Act, 2000 (section 43, 43A, 66C, 72)
• Digital Personal Data Protection Act,2023
• Cyber Attack Cases in 2023, live mint  https://www.livemint.com/news/india/india-witnesses-15-rise-in-cyber-attack-cases-in-2023-emerges-as-2nd-most-targeted-nation/amp-11705939863447.html
• Railway user data, business standard https://www.business-standard.com/article/current-affairs/data-of-30-million-railway-users-compromised-personal-details-on-dark-web-122122801012_1.html
• Data of boat customer, business standard https://www.business-standard.com/companies/news/data-of-7-5-mn-boat-customers-leaked-on-dark-web-forbes-india-report-124040800627_1.html
• Aadhar data leak, live mint https://www.livemint.com/news/india/aadhaar-data-leak-massive-data-breach-exposes-815-million-indians-personal-information-on-dark-web-details-here-11698712793223.html

---

[1] The Information Technology Act, 2000

[2] Section 43 in The Information Technology Act, 2000, https://indiankanoon.org/doc/39800/ , last visited 18 April, 2024

[3] Section 43A in The Information Technology Act, 2000,  https://indiankanoon.org/doc/76191164/ , last visited 18 April, 2024

[4]Section66CinTheInformationTechnologyAct,2000, https://indiankanoon.org/doc/118912881/#:~:text=Whoever%2C%20fraudulently%20or%20dishonestly%20make,extend%20to%20rupees%20one%20lakh , last visited 18 April, 2024

[5] Section 72 in The Information Technology Act, 2000, https://indiankanoon.org/doc/1480903/, last visited 18 April, 2024

[6] Digital Personal Data Protection Act,2023

[7] Cyber Attack Cases in 2023, live mint  https://www.livemint.com/news/india/india-witnesses-15-rise-in-cyber-attack-cases-in-2023-emerges-as-2nd-most-targeted-nation/amp-11705939863447.html, last visited 18 April, 2024

[8] Railway user data, business standard https://www.business-standard.com/article/current-affairs/data-of-30-million-railway-users-compromised-personal-details-on-dark-web-122122801012_1.html  , last visited 18 April, 2024

[9] Data of boat customer, business standard https://www.business-standard.com/companies/news/data-of-7-5-mn-boat-customers-leaked-on-dark-web-forbes-india-report-124040800627_1.html  , last visited 18 April, 2024

[10] Aadhar data leak, live mint https://www.livemint.com/news/india/aadhaar-data-leak-massive-data-breach-exposes-815-million-indians-personal-information-on-dark-web-details-here-11698712793223.html, last visited 18 April, 2024

Disclaimer: The materials provided herein are intended solely for informational purposes. Accessing or using the site or the materials does not establish an attorney-client relationship. The information presented on this site is not to be construed as legal or professional advice, and it should not be relied upon for such purposes or used as a substitute for advice from a licensed attorney in your state. Additionally, the viewpoint presented by the author is of a personal nature.